Mac ransomware caught before large number of computers infected

(Reuters) - The first known ransomware attack on Apple Inc’s (AAPL.O) Mac computers, which was discovered over the weekend, was downloaded more than 6,000 times before the threat was contained, according to a developer whose product was tainted with the malicious software.

Hackers infected Macs with the “KeRanger” ransomware through a tainted copy of Transmission, a popular program for transferring data through the BitTorrent peer-to-peer file sharing network.

So-called ransomware is a type of malicious software that restricts access to a computer system in some way and demands the user pay a ransom to the malware operators to remove the restriction.

KeRanger, which locks data on Macs so users cannot access it, was downloaded about 6,500 times before Apple and developers were able to thwart the threat, said John Clay, a representative for the open-source Transmission project.

That is small compared to the number of ransomware attacks on computers running Microsoft Corp’s (MSFT.O) Windows operating system. Cyber security firm Symantec Corp (SYMC.O) observed some 8.8 million attacks in 2014 alone.

Still, cyber security experts said they expect to see more attacks on Macs as the KeRanger hackers and other groups look for new ways to infect Mac computers.

Related Coverage

“It’s a small number but these things always start small and ramp up huge,” said Fidelis Cybersecurity threat systems manager John Bambenek. “There’s a lot of Mac users out there and a lot of money to be made.”

Symantec, which sells anti-virus software for Macs, warned on its blog that “Mac users should not be complacent.” The post offered tips on protecting against ransomware. (symc.ly/1puolix)

The Transmission project provided few details about how the attack was launched.

“The normal disk image (was) replaced by the compromised one” after the project’s main server was hacked, said Clay.

He added that “security on the server has since been increased” and that the group was in “frequent contact” with Apple as well as Palo Alto Networks, which discovered the ransomware on Friday and immediately notified Apple and Transmission.

An Apple representative said the company quickly took steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs.

An Apple iPhone is pictured next to the logo of Apple in Bordeaux, southwestern France, February 26, 2016. REUTERS/Regis Duvignau

Transmission responded by removing the malicious 2.90 version of its software from its website (www.transmissionbt.com). On Sunday, it released version 2.92, which its website says automatically removes the ransomware from infected Macs.

Forbes earlier reported on the number of KeRanger downloads, citing Clay.